Bohdan Melnykov
Last known affiliation: Check Point
Bio: From his earliest days, Bohdan Melnykov has been captivated by the inner workings of the world, driven by insatiable curiosity. His journey began with a passion for enhancing mobile phones through customizations and modifications. Over the years, that fascination led him to the intricate mechanisms of mobile malware investigation. With a keen eye for detail, Bohdan set out to understand the core operations of these digital threats. This pursuit of knowledge brought him to the Check Point Research team, where his hobby turned into a profession. In this dynamic environment, Bohdan has had the privilege of unraveling the mysteries of malware, constantly pushing boundaries to discover the new techniques used by attackers.
Raman Ladutska 🗣 | Bohdan Melnykov
Abstract
When malware actors want to enter the business, they can choose markets where, judging by past results, their profit is almost guaranteed to be worth the effort. The malware does not need to be high profile; careful selection of the audience and the right market can be enough.
This is exactly the case we observed in South Korea when we encountered an Android Trojan named FakeCalls. This malware can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees, an attack known as voice phishing, or vishing.
Vishing attacks have a long history in the South Korean financial market. The problem was so serious that it drew the attention of the government, resulting in a careful investigation and a subsequent report: financial losses due to voice phishing amounted to approximately 600 million USD in 2020, with the number of victims reaching as many as 170,000 people in the period from 2016 to 2020. Knowing these facts, we understand exactly why this country and this market were chosen by FakeCalls.
We discovered more than 3500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented several new anti-analysis techniques. In our presentation we describe all of the encountered anti-analysis techniques and show how to mitigate them, review the history of South Korean vishing attacks, and discuss the key details of the malware's functionality.